CVE-2025-43813
📋 TL;DR
This vulnerability in Liferay Portal/DXP allows remote attackers to perform path traversal through the ComboServlet, the component that combines the CSS and JS files named in a single /combo request into one response. An attacker can make it load arbitrary CSS and JS files from outside the intended resource directories and can cause denial of service by having the same files loaded many times in one request. Affected versions are Liferay Portal 7.4.0 through 7.4.3.107 and, per the fix versions listed below, Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3 releases before 2023.Q3.9, 7.4 updates before update 93, 7.3 updates before update 36, and older unsupported releases.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
Liferay Portal (the open-source Community Edition) and Liferay DXP (the commercially supported Digital Experience Platform) are Java-based enterprise portal platforms used for intranets, customer portals and public websites. The ComboServlet is the portal component that bundles several CSS or JS files into a single HTTP response to reduce the number of requests a page needs.
⚠️ Risk & Real-World Impact
Worst Case
The advisory scopes the traversal to CSS and JS files, so the documented worst case is disclosure of any .css or .js file the portal process can read outside the normal theme and module directories, combined with resource exhaustion from requests that name large files many times over. Reads of configuration files or Java source are not supported by the advisory; treat any such claim as unverified for this CVE.
Likely Case
Unauthorized access to CSS/JS files outside the intended resource tree and denial of service from repeated file loading in a single ComboServlet request.
If Mitigated
Limited impact with proper network segmentation, WAF rules blocking path traversal patterns, and file permission restrictions.
🎯 Exploit Status
Exploitation appears straightforward: the ComboServlet is reachable by any browser that loads the portal's pages, and the attack consists of crafting the file parameters of a /combo URL, so no special tooling is needed. No public exploit is cited on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.108+, Liferay DXP 2023.Q4.5+, 2023.Q3.9+, 7.4 update 93+, 7.3 update 36+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43813
Restart Required: Yes
Instructions:
1. Obtain the fixed release: DXP customers download the patch or quarterly release from the Liferay customer portal; Portal CE users upgrade to the 7.4.3.108 GA release or later.
2. Back up the current installation (bundle, database and document library).
3. Apply the patch or upgrade following Liferay's patch installation guide for your release line.
4. Restart the Liferay instance.
5. Verify the fix by repeating a traversal request against the ComboServlet endpoint and confirming the file contents are no longer returned.
🔧 Temporary Workarounds
Disable ComboServlet
Disable the vulnerable ComboServlet component to prevent exploitation. Verify the exact property name against the portal.properties reference for your release before relying on it, and test in staging first: with the servlet off the portal can no longer bundle its own CSS/JS, which affects page rendering.
Edit portal-ext.properties: combo.servlet.enabled=false
Restart Liferay
WAF Rule Implementation
Implement Web Application Firewall rules to block path traversal patterns in ComboServlet requests.
Configure the WAF to block requests to the /combo endpoint whose query contains a traversal segment after URL decoding: '../', '..\', and the percent-encoded forms (%2e%2e%2f, ..%2f, %2e%2e%5c) including double-encoded variants (%252e%252e). Match on the decoded query rather than the raw string, or encoded payloads will pass.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Liferay ComboServlet endpoint. Because every browser that renders portal pages needs /combo, this is only practical for portals already restricted to a trusted network.
- Deploy a WAF with rules specifically blocking path traversal patterns (plain and URL-encoded) in /combo URL parameters, and monitor its block logs for attempts.
🔍 How to Verify
Check if Vulnerable:
Test by requesting the /combo endpoint with a file parameter that traverses outside the expected resource tree (the page's example is /combo?../../WEB-INF/web.xml) and checking whether the file contents come back. Note that the advisory scopes the flaw to CSS and JS files, so a target without a .css or .js extension may be refused even on a vulnerable build; a traversal that resolves to a .css or .js file outside the normal theme and module directories is the decisive test.
Check Version:
Check Liferay version via Control Panel → Configuration → Server Administration → System Information
Verify Fix Applied:
After patching, repeat the same requests; a fixed build should return an error or an empty response rather than the contents of the traversed file.
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to the /combo endpoint with unusual parameters, especially file parameters that do not start with the portal's normal resource prefixes
- Access logs showing path traversal patterns in ComboServlet URLs, in plain form (../ or ..\) or percent-encoded (%2e%2e%2f, ..%2f, %2e%2e%5c, %252e%252e)
- Application error logs showing file access failures or violations triggered by the ComboServlet
Network Indicators:
- Unusual traffic volume to the /combo endpoint from a small number of sources
- Requests naming the same file many times, or an unusually large number of files, in a single ComboServlet call (the denial-of-service pattern)
SIEM Query:
source="liferay.logs" AND uri_path="/combo" AND (query_string="*../*" OR query_string="*..\\*" OR query_string="*%2e%2e*" OR query_string="*..%2f*" OR query_string="*%252e%252e*")
The encoded alternatives are needed because a WAF or SIEM that matches only the literal "../" misses percent-encoded and double-encoded traversal attempts.
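The following script is an added example for this page, not code from Liferay or from the advisory. It implements the decoded traversal check described under the WAF workaround and the log indicators in this section over constructed access-log lines: it percent-decodes each /combo parameter until stable (so %2e%2e%2f and double-encoded forms are caught), treats backslashes as path separators, flags any parameter containing a bare '..' segment, and counts how many times one request names the same file, which is the denial-of-service pattern the advisory describes. The endpoint path, combined log format, repeat threshold and all sample log lines are assumptions for illustration.

```python
"""Offline detector for ComboServlet path-traversal and repeated-file abuse.

Added example for this page, not Liferay code. It reads Apache/NGINX
combined-format access log lines (constructed samples below) and flags
/combo requests whose parameters contain a '..' path segment after URL
decoding and backslash normalisation, or that name the same file many
times in one call. Endpoint path, log format and threshold are assumptions.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

COMBO_PATH = "/combo"      # assumed servlet path; adjust if the portal is mounted under a context root
REPEAT_THRESHOLD = 5       # assumed: flag when one request names the same file this many times

# ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding), then treat '\\' as '/'."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True if any '/'-separated segment of the decoded value is exactly '..'."""
    return any(seg == ".." for seg in fully_decode(value).split("/"))


def analyze_request(target: str) -> Optional[dict]:
    """Inspect one request target; return a finding dict or None if it looks benign."""
    parts = urlsplit(target)
    if parts.path != COMBO_PATH and not parts.path.startswith(COMBO_PATH + "/"):
        return None
    # ComboServlet takes the files to bundle as parameter *names* with empty
    # values (e.g. &/o/frontend-js-web/index.js), so inspect names and values alike.
    params = parse_qsl(parts.query, keep_blank_values=True)
    traversal = [fully_decode(item) for k, v in params for item in (k, v) if has_traversal(item)]
    counts = Counter(fully_decode(k) for k, _ in params)
    repeated = {name: n for name, n in counts.items() if n >= REPEAT_THRESHOLD}
    if not traversal and not repeated:
        return None
    return {"traversal": traversal, "repeated": repeated}


def scan_log(lines):
    """Run analyze_request over access-log lines; return one record per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m["target"])
        if finding:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": m["target"], **finding})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # benign bundle request as the portal UI issues it
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /combo?browserId=chrome'
    '&minifierType=&languageId=en_US&b=7403&t=1741600000000'
    '&/o/frontend-js-web/index.js&/o/frontend-js-web/liferay/util.js HTTP/1.1" 200 51234',
    # plain traversal in a file parameter
    '198.51.100.7 - - [10/Mar/2025:12:00:02 +0000] "GET /combo?browserId=chrome&b=7403'
    '&/../../other-theme/css/main.css HTTP/1.1" 200 8812',
    # percent-encoded traversal using backslashes
    '198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /combo?browserId=chrome&b=7403'
    '&%2e%2e%5c%2e%2e%5cother%5ctheme.css HTTP/1.1" 200 8812',
    # double-encoded traversal
    '198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "GET /combo?b=7403'
    '&%252e%252e%252f%252e%252e%252fx.js HTTP/1.1" 200 1200',
    # resource abuse: same file named eight times in one request
    '198.51.100.9 - - [10/Mar/2025:12:00:05 +0000] "GET /combo?browserId=chrome&b=7403'
    + "&/o/frontend-js-web/index.js" * 8 + ' HTTP/1.1" 200 4194304',
    # unrelated page request
    '203.0.113.5 - - [10/Mar/2025:12:00:06 +0000] "GET /web/guest/home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], "traversal=", f["traversal"], "repeated=", f["repeated"])
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the same has_traversal function can be dropped into a WAF or reverse-proxy plugin that sees the decoded query, which is the property the workaround above depends on. Tune REPEAT_THRESHOLD to your portal's normal bundle sizes before alerting on the repeated-file finding.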